UNCLASSIFIED - NO CUI

Spike: Identify tasks to enable use of Cosign

  • Pipeline changes for signing with cosign

    • Identify what commands need to be run in the pipeline, in which jobs
  • Certificate

    • What CA and cert?
    • What kind of cert?
      • If DoD code signing, will likely be a (long-lived?) leaf certificate issued to "Platform One Iron Bank Code Signing" or something similar
      • If we use P1 PKI, could either be a leaf cert, or an intermediate CA
    • Where to store the cert?
  • Certificate issuance

    • Figure out what kind of CSR is needed for issuance
      • Test now what openssl commands work for CSR generation?
  • Key rotation

    • What do we do when the cert expires?
    • I think Kyverno policy, etc., can be written against the root CA and subject key name
    • When rotating, try to reuse the private key and the Common Name/Subject Alternative Name, so policies keyed on the subject and users' pinned public keys keep working after reissuance
      • Ask the CA if this type of reissuance is possible
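Worked example for the CSR question under Certificate issuance and the reuse-the-key note under Key rotation (an added example, not Iron Bank pipeline code): generate a P-256 signing key, build a code-signing CSR for the Iron Bank signing identity, and check the CSR before it goes to the CA. The CN, organization, e-mail SAN, file names and the extensions requested are assumptions; the CA decides what it actually issues. The key is only generated when absent, so rerunning the function yields a renewal CSR bound to the same key pair:

```shell
#!/bin/sh
# Generate an ECDSA P-256 signing key (the curve cosign uses for its own
# generated keys) and a code-signing CSR for the Iron Bank signing identity,
# then check the CSR before submitting it to the CA.
# Subject, organization and SAN values below are assumptions for the example.
set -eu

# $1: output dir, $2: Common Name, $3: e-mail to put in the SAN.
# Reuses an existing key so a renewal CSR keeps the same key pair.
make_codesign_csr() {
  outdir="$1"; cn="$2"; san_email="$3"
  mkdir -p "$outdir"
  [ -f "$outdir/cosign.key" ] || \
    openssl ecparam -name prime256v1 -genkey -noout -out "$outdir/cosign.key"
  cat > "$outdir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
O = Platform One
[ext]
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
subjectAltName = email:$san_email
EOF
  openssl req -new -key "$outdir/cosign.key" -config "$outdir/csr.cnf" \
    -out "$outdir/cosign.csr"
  # Public key for users who verify with `cosign verify --key` instead of a cert chain.
  openssl pkey -in "$outdir/cosign.key" -pubout -out "$outdir/cosign.pub"
}

# Pre-submission checks: the CSR's self-signature verifies, and the CSR
# carries the key we hold (guards against silently generating a fresh key).
csr_is_valid() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
csr_subject() { openssl req -in "$1" -noout -subject; }
# $2: a string expected in the CSR's text dump, e.g. "Code Signing".
csr_text_has() { openssl req -in "$1" -noout -text | grep -q "$2"; }
```

Run `make_codesign_csr out "Platform One Iron Bank Code Signing" ironbank@example.mil`, submit out/cosign.csr, and keep out/cosign.key where only the pipeline signing job can reach it; out/cosign.pub is what users pass to `cosign verify --key` when verifying against the key rather than the certificate chain. Whether the CA will honour the requested extensions and the same key on reissuance is the question to ask the CA.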
  • Rekor

    • At this time we do not plan on deploying Rekor or using a public Rekor instance
      • This should be fine, but confirm that cosign verify and policy engines (e.g. Kyverno) accept key/cert-based signatures that have no transparency log entry
  • Registry

    • Signatures are pushed to the registry as a tag derived from the image digest, like sha256-e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.sig (older cosign releases used the .cosign suffix); the signing certificate, when one is used, travels in the signature's annotations
    • This will interact poorly with mutable tags. The signature tag is keyed by digest, so if we overwrite a tag we'll have a leftover signature tag for the old digest (and the new digest needs its own signature)
      • Just leave it anyway? Let users download this if they want to?
      • Write a custom garbage collection script for this?
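One way to answer the garbage-collection question above, as an added example rather than existing Iron Bank tooling: given the tag list of a repository and the digest each ordinary tag currently points to (the shape you would get from `crane ls` and `crane digest`; the input format is an assumption), list the cosign artifact tags whose subject manifest is no longer the target of any tag. The sample tags and digests are constructed for the example; the cleanup command at the end is an assumption and is not executed:

```shell
#!/bin/sh
# Find cosign artifact tags (sha256-<digest>.sig/.att/.sbom, or .cosign from
# old cosign releases) whose subject manifest is no longer referenced by any
# ordinary tag, i.e. what is left behind after a mutable tag is overwritten.
# Input is plain text so it can be fed from `crane ls` and `crane digest`
# (assumed input format); the sample data in demo_orphans is constructed.
set -eu

# Tags that look like cosign artifacts, one per line (no match is not an error).
cosign_artifact_tags() {
  grep -E '^sha256-[0-9a-f]{64}\.(sig|att|sbom|cosign)$' "$1" || true
}

# Digest (sha256:<hex>) of the manifest a cosign artifact tag refers to.
artifact_subject_digest() {
  printf '%s\n' "$1" | sed -E 's/^sha256-([0-9a-f]{64})\..*$/sha256:\1/'
}

# $1: file listing every tag in the repo; $2: file of "<tag> <digest>" for
# every non-cosign tag. Prints artifact tags whose subject digest is not the
# current target of any tag.
orphaned_cosign_tags() {
  cosign_artifact_tags "$1" | while read -r tag; do
    digest=$(artifact_subject_digest "$tag")
    awk -v d="$digest" '$2 == d { found = 1 } END { exit !found }' "$2" \
      || printf '%s\n' "$tag"
  done
}

# Constructed scenario: tag 1.0.0 was first pushed as digest A and signed,
# then overwritten with digest B, signed and attested; 1.0.1 is digest C.
# Only A's signature tag should come out as an orphan.
demo_orphans() {
  dir=$(mktemp -d)
  A=$(printf '%064d' 0 | tr 0 a)
  B=$(printf '%064d' 0 | tr 0 b)
  C=$(printf '%064d' 0 | tr 0 c)
  printf '%s\n' 1.0.0 1.0.1 "sha256-$A.sig" "sha256-$B.sig" "sha256-$B.att" \
    "sha256-$C.sig" > "$dir/tags"
  printf '%s\n' "1.0.0 sha256:$B" "1.0.1 sha256:$C" > "$dir/live"
  orphaned_cosign_tags "$dir/tags" "$dir/live"
  rm -rf "$dir"
}

# Assumed cleanup step, deliberately not run here: for each orphan,
#   crane delete "$REPO:$tag"
# which requires a registry (e.g. Harbor) that permits tag deletion.
```

The same pattern matching covers .att and .sbom tags, so a later attestation or SBOM workflow would leave the same kind of orphans. The script only flags artifacts whose subject is no longer reachable through a tag; a manifest users still pull by digest keeps its signature, which is what an air-gapped consumer pinning by digest needs.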
  • Harbor

  • Cosign vulnerability attestation

    • Cosign has an "attestation" feature, mostly intended for things like in-toto attestation
    • Recently this feature was extended to support a "vulnerability" scan attestation https://github.com/sigstore/cosign/pull/1168
      • We could use this to sign daily report from VAT and tools like Kyverno can enforce policy on it
    • We could also try writing a custom attestation format to include VAT ABC/ORA data too
    • TODO: try some of this out in the future. Does not need to be done initially/MVP.
  • End user UX

    • Add cosign verification instructions to IBFE
      • Don't think a "download" link is needed; instead show the cosign shell commands to run to perform verification.
        • like we have docker pull commands
    • User instructions about Root CA and verification instructions?
      • What CA is used? What CN/SAN is in the signing cert?
      • Maybe things like Kyverno policy too.
    • Longer term TODO: document some (skopeo?) steps to download and move both the image and signature across an air gap
    • Future TODO? Perhaps a on IBFE with some info on hover?
  • Cosign attestation

    • cosign vuln attestation format
      • We can use the cosign vuln format to store scanner results in the registry as an attestation
      • We can use a custom JSON format (perhaps just the VAT API response) and store it as an attestation too
    • Cosign attach SBOM
      • It is possible to store SBOMs in the registry with cosign
    • Ask IBFE if they could pull all these artifacts directly from the registry. We could kill off S3 entirely
    • @blake.burkhart's notes from testing attestation_notes.sh
Edited by blake.burkhart